An Inside Look at New York State Government Cybersecurity

As part of its enterprise IT transformation, New York state radically transformed its cybersecurity efforts. In this exclusive interview with CISO Deborah Snyder, we see how her team implemented their impressive program.

by / March 18, 2019

As part of a massive IT transformation and consolidation effort, the state of New York government has redesigned the way it protects constituent data over the past several years. These extensive cybersecurity efforts are led by the state's impressive Chief Information Security Officer (CISO) Deborah Snyder.

In her government technology leadership role, Deborah Snyder directs the Chief Information Security Office’s comprehensive governance, risk management and compliance program. She is responsible for providing strategic leadership and vision, and assuring business-aligned, risk-based investments that maximize business opportunity and minimize cybersecurity risk.

Snyder leads her team by example with a long list of degrees and professional certifications, including MBA, GCIS, GSTRT, CISSP, CRISC and PMP.

She serves on the NYS Forum Board of Directors, NY CISO Executive Summit Governing Board, is a State Academy for Public Administration Fellow, and member of the Project Management Institute, InfraGard, Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), and the Institute of Internal Auditors (IIA).

She teaches graduate-level courses, has published numerous articles, and co-authored “SECURE – Insights From The People Who Keep Information Safe,” which offers industry leadership insights and perspective. She is a highly regarded speaker on topics critical to executive-level business and IT professionals.

You can get a sense of Deborah's speaking style and extensive knowledge by viewing this keynote address at the 2018 DFSO Cybersecurity & Payments Roundtable held at Columbia Business School (shown below).

I first met Deborah (she often goes by ‘Deb’) about four years ago at a NASCIO Conference, when she was the deputy CISO. I was immediately impressed with her depth of knowledge, passion for security and really clear thinking. As you will see in the interview below, she has built quite an amazing team and plan in New York State during a period of time when keeping top cyber staff is very difficult across the country. Now on to the interview.


Dan Lohrmann (DL): New York has undergone major technology changes and IT centralization over the past few years. Tell us about that.

Deborah Snyder (DS): The New York State Office of Information Technology Services (ITS) was created in 2012, as part of Governor Andrew M. Cuomo’s visionary information technology transformation and consolidation initiative.  ITS is responsible for providing centralized IT services to the State and its governmental entities, with the awareness that our citizens are reliant on these services.  As such, we set statewide technology policy for all state government agencies and monitor all large technology expenditures in the state, seeking efficiencies, lower costs and innovative solutions.  Our strategic goals support the priorities of the administration and are aligned with agency missions to enable better government services.

ITS’ many statutory responsibilities also include providing for the protection of state government cyber security infrastructure, including but not limited to identifying and mitigating vulnerabilities, deterring and responding to cyber events, and promoting cyber security awareness within the state.

Under the governor’s leadership, ITS, through the State Chief Information Security Office, has established a comprehensive cybersecurity program and made significant investments in enhancing the State’s cyber security posture and capabilities. We cover a wide range of services including statewide policies, standards, program governance, compliance, risk management, information security training and exercises, vulnerability and threat management, threat intelligence analysis, security operations center monitoring, and detection (including oversight of third-party managed security services), and digital forensics and incident response. As CISO, I also direct and maintain the NYS Cyber Command Center, hotline and related procedures for cyber incident reporting and response and digital forensics, and distribute real-time advisories and alerts.

Our cyber program builds upon well-established industry frameworks and practices (e.g., the National Cyber Security Framework and Top 20 Critical Controls). This assures it supports ITS’ mission of delivering secure, reliable and cost-effective IT services that meet our clients’ business priorities and compliance requirements.

Our “NorthStar” – the mission that drives and guides our priorities and objectives, is “Advancing New York state’s ability to safeguard information, defend against cyber threats, and deliver innovative and secure government services.”  

DL: Since you started your cybersecurity leadership efforts in New York, you have seen a big increase in staffing and security budget. Can you provide some details? How did that happen in such a short period?

DS: Since ITS was formed, our team has grown to over 60 full-time security professionals, and investments in cyber have increased significantly. Part of this growth was simply due to the centralization of security resources as part of our continued efforts to transform and improve services delivery. This has been highly effective in driving standardized security processes and service delivery, to assure consistent performance and quality.

Part of it was making sure cyber security was firmly at the table in budget planning. Our approach was more a conversation about cyber as an element of enterprise risk management.  We provided relevant examples of the growing risk of cyberattacks, and associated costs of incidents and breaches.  We also examined and tracked spending in ways that provided a clearer picture of initiatives across the organization that support enhancing security. In other words, better understanding what we were spending beyond just my office’s direct costs.

We developed mechanisms to factor the cost of security activities into project planning and forecasting, improving our ability to integrate consideration of security requirements into overall costs, scope and schedule.

While we certainly considered what others are spending on cyber security as a percentage of overall spend, particularly other states, it wasn’t used as a yardstick for what we need to spend. We looked at our overall security posture, and what we were spending and where, from a price, performance and capability maturity point of view -- did we have the required capabilities, capacity, level of readiness and resiliency that we need, or were there areas where we needed to invest further. We also built performance and outcome metrics into our efforts. This helped us ensure capital requests and investments were evaluated based on performance and value.

DL: What are some of the top cyberthreats you are seeing now, and how are you dealing with them?

DS: The threats we see are really no different than any other large organization.  NY State government, like other sizable public and private entities, relies on a large and complex technology environment to conduct its operations.  ITS secures the shared technology services, statewide network, data, systems and critical infrastructure used by state and local government entities -- over 160,000 endpoints, 140,000 users and 4,600 applications, across a distributed and complex infrastructure.

Cyber-criminals and hackers are opportunistic.  Attacks try to take advantage of your weakest links.  They “live off the land,” trying to identify and exploit vulnerabilities in system hardware and software that has not been kept patched and up to date.  If you closely examine “root causes,” the majority of breaches you see in the news today are the result of human error – social engineering, misconfigured systems. 

We have seen our share of targeted social engineering attacks – e.g., phishing campaigns aimed at obtaining sensitive information and compromising business email accounts.  We have also seen damaging malware attacks including ransomware that hit healthcare facilities and local government.

While industry reports indicate that ransomware dropped, and coin mining malware became the top means of monetizing attacks in 2018, I believe we are likely to see a resurgence in malware attacks in 2019, due to economic influences negatively affecting cryptocurrency values.

In terms of dealing with these threats, we’ve doubled down on assuring good cyber hygiene practices -- the essential measures that ensure a solid foundation for security. We also established a strategic roadmap for critical investments that will continue to enhance the State’s ability to protect data, systems and infrastructure, and strengthen our defense against next-generation cyber-attacks.

Critical success factors:

  • Maintain an asset inventory so you know what you need to protect, and what state it is in.
  • Control access based on a “need to know,” and assure strong user authentication. Deploy multi-factor authentication, manage your user accounts throughout their entire lifecycle – ensure proper identity vetting, background clearance practices, account provisioning and deprovisioning, and pay close attention to privileged accounts.
  • Ensure secure configurations on hardware/software on servers, workstations/laptops and mobile devices.
  • Continuously assess systems to identify and remediate vulnerabilities, reducing opportunities for attackers to target weaknesses.
  • Monitor and analyze logs, and alert on suspicious events, to help swiftly identify, understand, respond and recover from incidents.

Once you have the basics in place, taking a risk-based approach is key.  Every organization has limited resources and the fiduciary responsibility to use them wisely.  Prioritizing your efforts based on what is most probable and impactful for your organization and sector helps ensure a solid return on investments.  Incidents, industry reports, and government sector trends indicate that the majority of attacks are coming in through email, web browser and application vulnerabilities, so enhancing security in these areas first provided a practical approach.

We've learned to NEVER UNDERESTIMATE THE VALUE OF STRONG, PROACTIVE DEFENSES.

Essentially, make it harder for your users to make mistakes, and easier for us to detect, respond and recover when they do.

ITS proactively protects our clients by blocking well over 7 million security events daily, an extremely powerful statement of the business value and return on cyber security investments.

Prevention-focused technologies, improved web-browser filtering, and intrusion detection help strengthen defenses and security posture.

  • Protect sensitive data - encryption is the best data protection assurance going, but also consider data loss protection (DLP), information rights management (IRM), automated monitoring for unauthorized access and transfer of sensitive information, and proactively alerting on/or blocking such activities.
  • Enhance web browser and email protections to reduce opportunities for attackers to manipulate human behavior, by filtering and blocking malicious links and attachments. Deploy email authentication (trust) policies to reduce fraudulent email (spoofing) and potential financial and reputational risk.

Next-generation security platforms, automation, and standardization create efficiencies and cost savings.  Streamlining threat analysis and incident response processes helps increase capacity and improve active response times.

Heuristics and AI-based solutions detect, alert on and/or block “anomalous behaviors” that exceed tolerances and send up red-flags.  Segmenting networks helps isolate and more tightly control access to critical systems and highly sensitive data.

“SECURE-BY-DESIGN, BUILD OR BUY” - Implement Secure System Development Life Cycle processes to manage the security of all in-house developed and acquired software to prevent, detect, and correct security weaknesses. Scan applications during development and before migration into production to identify and remediate application vulnerabilities. If you have many applications, take a risk-based approach and start with systems that are “mission-critical” and/or “Internet-facing” and containing sensitive data.

DL: What are your top strategic security projects? What are the goals you hope to achieve moving forward?                        

DS: Our strategic roadmap and priority initiatives encompass multiple themes, including enhancing governance and visibility, protecting business email and user accounts; safeguarding sensitive data; protecting business applications and devices; and strengthening NY State’s critical infrastructure.

In 2017 we requested capital investment to combat next-generation threats to government, citizens and business. The “first wave” of these initiatives is now underway and we are making good progress.

Our goal is delivering business value to the State and our client agencies.  We do that by ensuring that all cyber security initiatives and investments align with business objectives and industry practices, and are adaptable to the current threat landscape.

DL: How has your team evolved over the past few years – including use of contractors?

DS: Cyber security is a dynamic field requiring specialized skills and a highly-trained workforce. Staying ahead of threats, and responding quickly to alerts and incidents requires proficient teams.  Like many other large organizations, we leverage managed security services to augment continuous monitoring and detection capabilities and maintain a global perspective on the threat landscape.

One of our biggest strengths is recruiting and hiring for the right skill sets and investing in our people. Opportunities for growth and learning are highly-valued.  Our training and professional development programs reflect this, providing a wide variety of professional development and skills-based opportunities and education initiatives.

In June 2018, our 21st NYS Annual Cyber Security Conference – the longest running State-sponsored conference of its kind, drew over 1,600 registrants and 46 sponsors, for 48 sessions across 14 tracks and 3 days.  We also offered sector-specific sessions for local government, education, energy, health, and legal, plus leading research and hands-on skills training. 

Over 68% of our security staff hold one or more industry certifications.  Our teams routinely participate in ongoing skills training and attend top industry conferences.  Over 50% of the NYS Cyber Command Center team has trained at a top industry cyber range.  These investments are paying dividends in capabilities and performance.

We don’t stop at just the security team.  Since security is integrated in all that we do at ITS, we invest across the organization – e.g., ITS developers have been trained in application security principles and secure code testing tools and techniques, database administrators receive training on database security, operations teams in secure architecture design, and configurations management. 

As our CIO, Bob Samson, often emphasizes, “All IT is Cyber.” There is a cyber component to every initiative, device, service and product we provide. All of it must be configured and operate securely to reduce risk to NYS’ data, systems and infrastructure. A big part of doing security well is every employee knowing how to apply security concepts to their job, and being able to optimize the tools and technologies we have in place.

Collaboration and strong partnerships are critical factors in our success.  Cyber security is a shared responsibility that requires “all hands on deck” collaboration.  We actively engage our clients in managing and understanding their cyber risk, and assure collaboration across internal teams.  We also maintain strong partnerships across federal, state and local government, and critical infrastructure sectors.

We hold monthly Information Community of Practice and Cyber Partners Meetings to promote best practices, share intelligence, and conduct and actively participate in federal, state and local government cyber exercises.

In 2018, joint efforts by CISO and the MS-ISAC resulted in the registration of all 62 NYS counties, and over 150 schools and municipalities.  These organizations now have full access to beneficial cyber tools, resources and services at no cost.   We are also supporting the State’s Education Department in their efforts to enhance security across local Regional Information Centers, over 700 K-12 schools, and 65 state university campuses.

DL: What tips can you give others on attracting and maintaining cyber talent?

DS: It’s no secret that increasing demand, coupled with a scarcity of skilled cyber professionals has created a global industry gap, making the job market and salaries highly competitive.  According to recent estimates, there will be as many as 3.5 million unfilled positions in the industry by 2021.

Creative recruitment, talent retention and professional development efforts are key to ensuring skilled and effective security teams.  Cyber security professionals can come from both technical and non-technical backgrounds. We actively look for smart, motivated individuals within our organization that have the right collaboration, communication and analytical skills.

We are actively engaged in building the cyber talent-pool for the future.  We support STEM/STEAM and tech-education programs in schools across the state.  Our popular NYS K-12 Cyber Poster contest experienced a 200 percent growth over the past five years, with five national winners coming from NY State.  

We have strong relationships with universities and colleges that serve as feed-streams for new talent, and are leaning in to help drive programs and curriculum that aligns with workforce needs.  We are out there at career days and job fairs, educating students about the wide range of opportunities in the profession.  Our Cyber Open House events for college students are always well-attended. 

Robust internship, fellowship, and mentoring programs help us attract new talent to government service. Veterans programs are another channel we are taking advantage of, tapping into the intelligence training and hands-on experience of former military service personnel.

Our cyber outreach efforts recently received the National Cyber Security Alliance Cyber Secure Community Award. This first-ever award highlights organizations that exemplify excellence in cyber security, help everyone stay safer and more secure online, and promote cyber security as a shared responsibility. NCSA recognized ITS with this award for its efforts to positively impact the community at large through its comprehensive cyber security awareness and outreach programs.

I also believe in giving back and helping the next wave, teaching, routinely speaking, and mentoring, as a means of engaging current and future professionals, and sharing knowledge and skills that can help them be successful in today’s workplace.

DL: Tell us about your approach to securely moving data to the cloud.

DS: ITS has taken a hybrid strategy.  We maintain New York’s private government cloud environment – the Excelsior Cloud, the first of its kind in the nation, in our state-of-the-art data centers.  We also pragmatically take advantage of public cloud services to support various functions and capabilities where appropriate - e.g., Microsoft Office 365, call center/help desk functions and web site hosting.

As the mega trends of ubiquitous computing and digital business transformation continue to drive cloud services adoption, it is challenging to balance benefits – cost, reliability and accelerating innovation, while still assuring security.

Foundational to our efforts is a cloud solution roadmap and cloud services broker model that automates and standardizes IT infrastructure while reducing operating costs and time to deliver applications. This ensures flexible, elastic, and cost-effective multi-cloud services, with high-availability and disaster recovery enhancements that enable agencies, employees and citizens with best-in-class services, and provides a frictionless customer experience.

Also crucial is the development of the state data strategy being advanced by our Chief Data Officer, to assure we understand what data we have, ownership, business uses, and associated security and privacy requirements.

We have established control expectations and apply well-vetted industry standards and methods to help assess cloud services and create transparency into vendor security posture.  This ensures we clearly convey our clients’ business requirements and the security capabilities vendors must have in place.

From there, it comes down to requiring and maintaining solid controls, including strong authentication and identity management, secure configuration, vulnerability testing protocols, encryption, secure application programming interfaces and microservices, and micro-segmentation where appropriate.

DL: Anything else you want to add?

DS: When you’re out there blazing the trail and leading the charge, it might be easy to lose your connection to the “why” behind what we do. It’s important to keep that “Northstar” – that sense of purpose and connection with our client agencies and people we serve, clearly in front of us. Our teams are highly-motivated by the challenging and meaningful work we do, and the diverse range of issues we are engaged in. Information security is an incredibly dynamic field – so much so that it can feel like a different job every day. That’s what keeps it interesting and relevant.

If we accept the notion that technology touches every aspect of government, the robust set of interconnected modern technologies ITS provides has the power to truly transform how we deliver secure government services.

Our CIO Bob Samson routinely talks about the IT mega-trends – ubiquitous computing, data, cloud services, and cyber security, that are shaping our world and accelerating innovation. He emphasizes the relationship between these trends, and the ability to advance the State’s agenda, and help agencies solve their “grand challenges.”

Moving forward, vigilance, resilience, and strategies that strengthen and “future-proof” cyber security defenses, will be ongoing themes.  As we continue to support the State in embracing “digital” and transforming government services, our cyber security strategy must balance state-of-the-art security services, with the agility to make integrating security frictionless.  Security is no longer just something we do; it’s become an integrated part of everything we are.

New York State is showing the nation how this is done, to the benefit of our agencies, residents and businesses. “Government Serves.” Excelsior – Ever Upward!

Dan Lohrmann: I want to thank you Deb for taking the time to do the interview and for sharing your insights, experiences, ideas and New York State's many accomplishments with us. You certainly are providing an excellent example of inspired leadership for the rest of the nation to follow in cybersecurity. Your time is greatly appreciated.  
